Open allfro opened 7 years ago
Just for clarity: not even the OAuth2Request getter stores the client's authorities for some reason.
I have a somewhat similar problem with this: https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java#L38-L41
Suppose we have TokenEndpointAuthenticationFilter and the user is authenticated. When the request reaches this point
https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java#L143
the OAuth2Authentication contains both user and client data, and clientAuth.getName() returns the user name and replaces the client name in this map.
Am I using this filter incorrectly, or is this a design issue?
I came across the same issue? I passed the SSO server verification, but when DefaultAccessTokenConverter#extractAuthentication is building the OAuth2Authentication, OAuth2Authentication#authenticated is false, although its constructor parameter ((Authentication) user)#authenticated is true:
```java
public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
    ...
    // user#authenticated is true here
    Authentication user = userTokenConverter.extractAuthentication(map);
    ...
    // but the resulting OAuth2Authentication#authenticated is false
    return new OAuth2Authentication(request, user);
}
```
Hi again,
While I was debugging my OAuth2 endpoints I came across an issue(?) that I was wondering if anyone could provide some clarity on. Specifically, this line https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java#L29 in the constructor of OAuth2Authentication selects the authorities of the user or of the client depending on whether the authentication request is user-based or not, respectively. When looking at the Authentication object returned from the SecurityContextHolder it is apparent that the client's authorities are nowhere to be found. It is also apparent from the JWT token decoding that the authorities of the user are populated. This seems a bit counterintuitive. Wouldn't you want to support a use case where a preauthorization check could check whether a client has a certain role and is operated by a specific user role as well? Could anyone provide some clarity on this design decision, please :)
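The following is an added example, not code from this issue or from spring-security-oauth itself, illustrating both points raised in the thread: which authorities the OAuth2Authentication constructor keeps, where the client's authorities actually end up, and why isAuthenticated() on the wrapper can be false while the wrapped user Authentication is true. It assumes spring-security-oauth2 2.x on the classpath; the class name OAuth2AuthoritiesDemo, the helpers clientRequest/user/names/clientAndUserHaveRoles, the client id and the role names are all made up for the demonstration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;

// Hypothetical demo class; not part of spring-security-oauth.
public class OAuth2AuthoritiesDemo {

    // Build an OAuth2Request the way a token store or converter would. The
    // authorities passed here are the *client's* authorities; 'approved' is
    // the flag OAuth2Authentication#isAuthenticated consults.
    static OAuth2Request clientRequest(String clientId, boolean approved, String... clientRoles) {
        return new OAuth2Request(
                Collections.<String, String>emptyMap(),      // request parameters
                clientId,
                AuthorityUtils.createAuthorityList(clientRoles),
                approved,
                new HashSet<String>(Arrays.asList("read")), // scope
                Collections.<String>emptySet(),             // resource ids
                null,                                       // redirect uri
                null,                                       // response types
                null);                                      // extension properties
    }

    // An already-authenticated user, as a UserAuthenticationConverter or
    // TokenEndpointAuthenticationFilter would hand it over (authenticated = true).
    static Authentication user(String name, String... userRoles) {
        return new UsernamePasswordAuthenticationToken(name, "n/a",
                AuthorityUtils.createAuthorityList(userRoles));
    }

    static Set<String> names(Collection<? extends GrantedAuthority> authorities) {
        return AuthorityUtils.authorityListToSet(authorities);
    }

    // The use case from the question: require a role on the client AND a role on
    // the user. The client's authorities are not on the OAuth2Authentication's own
    // authority list; they are only reachable through the stored OAuth2Request.
    static boolean clientAndUserHaveRoles(OAuth2Authentication auth, String clientRole, String userRole) {
        boolean clientOk = names(auth.getOAuth2Request().getAuthorities()).contains(clientRole);
        boolean userOk = !auth.isClientOnly()
                && names(auth.getUserAuthentication().getAuthorities()).contains(userRole);
        return clientOk && userOk;
    }

    public static void main(String[] args) {
        OAuth2Request request = clientRequest("web-app", true, "ROLE_TRUSTED_CLIENT");
        Authentication alice = user("alice", "ROLE_USER", "ROLE_ADMIN");

        OAuth2Authentication auth = new OAuth2Authentication(request, alice);

        // The constructor copies the user's authorities when a user authentication is present,
        // so getAuthorities() shows only ROLE_USER and ROLE_ADMIN.
        System.out.println("getAuthorities():                     " + names(auth.getAuthorities()));
        // The client's ROLE_TRUSTED_CLIENT survives only inside the stored request.
        System.out.println("getOAuth2Request().getAuthorities():  " + names(auth.getOAuth2Request().getAuthorities()));
        System.out.println("client TRUSTED && user ADMIN:         "
                + clientAndUserHaveRoles(auth, "ROLE_TRUSTED_CLIENT", "ROLE_ADMIN"));

        // Client-only token (e.g. client_credentials): with no user, the client's
        // authorities become the principal's authorities.
        OAuth2Authentication clientOnly = new OAuth2Authentication(request, null);
        System.out.println("client-only getAuthorities():         " + names(clientOnly.getAuthorities()));

        // isAuthenticated() on the wrapper is storedRequest.isApproved() combined with the
        // user authentication's own flag, so an unapproved request yields false even though
        // 'alice' is authenticated.
        OAuth2Authentication unapproved =
                new OAuth2Authentication(clientRequest("web-app", false, "ROLE_TRUSTED_CLIENT"), alice);
        System.out.println("user.isAuthenticated():               " + alice.isAuthenticated());
        System.out.println("approved=false -> isAuthenticated():  " + unapproved.isAuthenticated());
        System.out.println("approved=true  -> isAuthenticated():  " + auth.isAuthenticated());
    }
}
```

In a real resource server the same combined check can be written as a method-security expression, since the project's OAuth2SecurityExpressionMethods (the #oauth2 variable registered by OAuth2MethodSecurityExpressionHandler) reads the client's roles from the same stored request: for example @PreAuthorize("#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT') and hasRole('ROLE_ADMIN')"). The point of the demo is that nothing is lost in the JWT or the token store; the client's authorities are simply not the ones the OAuth2Authentication exposes as its own.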